
Deploying & Supporting Windows Server 2003

Experiences of Early Adoption at Microsoft

Technical White Paper


Published: May 2003

CONTENTS
Executive Summary
Introduction
Overview of the Windows Server 2003 Operating System
    Product Family Editions
Business Benefits
    Reliability
    Scalability
    Security
Background
    Organizational Background
    Operational Background
    Lessons Learned from the Windows 2000 Deployment
Project Scope and Goals
    Project Scope
    Server Deployment Goals
    Geographical Scope
    Product Scope
Key Features
    Application and Web Services
    Availability and Performance
    Directory Services (DS) Forest Management
    DS Domain Management
    DHCP Backup Options
    File Service Improvements
    Security
    Miscellaneous Features
Deployment
    Deployment Planning Stages
    Benefits of the Technology
    Microsoft Line of Business Applications (LOB)
Lessons Learned
Best Practices
Conclusion
For Further Information

Situation
Microsoft Corporation needed to take advantage of enhancements in security, availability and reliability with Windows Server 2003, and migrate all the corporate servers to the new software with minimal impact during migration.

EXECUTIVE SUMMARY
The internal Microsoft IT group holds the broad responsibility of running the company's internal networks, telecommunication systems, corporate servers, and line-of-business applications. Microsoft IT's mission is to provide an IT environment comprising services, applications, and infrastructure that helps provide availability, privacy, and security to all Microsoft employees worldwide, in the company's more than 400 locations.

In addition to running the global IT service internally, the Microsoft IT group is also committed to testing Microsoft enterprise products in production before they are released to customers to ensure that products will scale to meet the business challenges of other large enterprises. The Microsoft IT group's customer service mission extends to sharing its best practices and lessons learned through case studies and white papers such as this one.

Microsoft IT incorporated lessons learned from Microsoft's corporate migration to the Windows 2000 platform into the Windows Server 2003 migration plan. In particular, having an up-to-date inventory of Microsoft IT assets, conducting detailed resource planning, having the Active Directory directory service in place, and having validated our computer hardware versus the HAL greatly simplified the process. For enterprises not using Active Directory, Microsoft IT recommends that IT planners read the available documentation on the deployment of Windows 2000 Active Directory for additional help in planning a successful server deployment.

This paper shares what Microsoft IT's Infrastructure Engineering group learned as a result of deploying Windows Server 2003, Enterprise Edition within Microsoft. Microsoft IT is sharing these experiences with customers so that they may use them to help successfully upgrade from Microsoft Windows 2000 to Windows Server 2003. Much of the information also applies to enterprise customers planning to upgrade to Windows Server 2003 from other Microsoft operating systems such as Microsoft Windows NT version 4.0.

Solution
Microsoft IT migrated the corporation to Windows Server 2003 by using a standard process and lessons learned from the migration to Windows Server 2000.

Benefits
Reduced Downtime from configuration changes at the OS level: no Windows Server 2003 servers have been rebooted for an OS configuration change.
Easier Administration through WMI command line tools and Remote Desktop for Administration.
Increased Security: With the new Internet Explorer Enhanced Security configuration, only trusted sites are accessible from the servers.
Increased Application availability through the ability for the business unit to run MSDTC independent of SQL Server.

Products & Technologies
Windows Server 2003
Exchange Server 2003
Office System 2003
Terminal Server


INTRODUCTION
The development of Windows Server 2003 is a major milestone for Microsoft. This product brings innovative new features that will benefit all enterprise customers, ranging from the network administrators using their managed desktop systems to the data center operations staff managing the most powerful servers found in the enterprise. For the deployment of Windows Server 2003, the Microsoft IT group based its plans on the best practices and lessons learned from the development, deployment, and support of each previously released version of Windows. Microsoft products undergo four major phases in deployment as shown in Figure 1:

Future Technology. In this phase, the technology roadmap is developed, technologies are identified, and product strategies are developed.
Integration Planning. In this phase, deployment goals and milestones are developed.
Test and Pilot. In this phase, test scenarios and critical functionality are deployed in an isolated environment, limited load and stress testing takes place, and product interaction is tested. At the end of this phase, a product is certified as ready for deployment.
Enterprise Deployment. In this phase, lessons learned from the test and pilot phases are incorporated, bugs are identified and prioritized, and the product is deployed to the enterprise.
Sustain and Manage. In this phase, the day-to-day utility is managed and optimizations are identified and prioritized.

Figure 1: Product Deployment Phases

Windows Server 2003 was deployed using the above process in order to validate its enterprise readiness. Every organization is unique, and therefore, each must develop its own plan for deploying Windows Server 2003. There were tasks in the Microsoft deployment plan that other organizations may never encounter or that would be completed at different times in the process, such as repeated operating system installations over several months.

This paper discusses the issues that Microsoft IT encountered when planning and deploying Windows Server 2003 to its production enterprise infrastructure server computers. In particular, it describes some of the unique conditions at Microsoft and lessons learned from the earlier deployment of Windows 2000 that influenced the project planning methodology. Although this paper is not intended to serve as a step-by-step guide for deploying Windows Server 2003, Microsoft is sharing this information to assist its customers in deploying this product in their own environments.

Note: For security reasons, the sample names of forests, domains, internal resources, and organizations used in this paper do not represent real resource names used within Microsoft and are for illustration purposes only.


OVERVIEW OF THE WINDOWS SERVER 2003 OPERATING SYSTEM

The Windows Server 2003 family of server operating systems represents the next step in the ongoing evolution of the Windows Server family. Windows Server 2003 builds on the proven reliability, scalability, and manageability of Windows 2000 Server to deliver a productive infrastructure platform for powering connected applications, networks, and web services from the workgroup to the data center. Windows Server 2003 provides the high levels of dependability, scalability, and security that customers expect from a full-featured server operating system.

Product Family Editions


The Windows Server 2003 Family comprises four editions:

Windows Server 2003, Standard Edition: The server operating system for the everyday needs of businesses of all sizes, providing the optimal solution for file and printer sharing, secure Internet connectivity, centralized desktop application deployment, and a connected environment among employees, partners, and customers.
Windows Server 2003, Enterprise Edition: The platform for large enterprises as well as small- and medium-size businesses to develop, deliver, and secure applications, Web services, and infrastructure such as Domain Controllers, delivering high reliability, performance, and superior business value. Enterprise Edition is available in both 32-bit and 64-bit editions.
Windows Server 2003, Datacenter Edition: The server operating system for business-critical and mission-critical applications that require the highest levels of scalability and availability. Datacenter Edition is available through the Datacenter Program in both 32-bit and 64-bit editions.
Windows Server 2003, Web Edition: Optimized for serving and hosting web pages, while maintaining the core functionalities that support enhanced reliability, manageability, and security.

Note: Any reference made to Windows Server 2003 in this paper refers to Enterprise Edition unless otherwise specified. Microsoft does not deploy the Standard Edition version in its Microsoft IT infrastructure.


BUSINESS BENEFITS
As with all beta software deployments at Microsoft, Microsoft IT began its work with extensive planning and careful consideration of business requirements and product capabilities. For example, Microsoft IT carefully defined the goals and project scope of the Windows Server 2003 deployment, to ensure that the deployment would satisfy Microsoft business requirements for new software products.

Similar to most large enterprises, Microsoft prepared for operating in a mixed environment of Windows 2000 Server and Windows Server 2003 over a period of time. Windows Server 2003 had to demonstrate that its interoperability with Windows 2000 Server-based computers was robust and reliable. Certain important new features in Windows Server 2003, such as enhanced forest functionality, require 100% of particular services to be upgraded. In these cases the goal for the final released version deployment was 100% upgrade. However, for most testing purposes Windows 2000 Server and Windows Server 2003 could be tested side-by-side.

The key business requirements for Microsoft IT's migration to Windows Server 2003 were simple: proof of product reliability, scalability and security. A further requirement was a reduction in support costs. Each of these business requirements generated a set of specific deployment goals.

Reliability
The product reliability goal was intended to ensure operational stability on a set of servers that were representative of the server workloads deployed by customers in the field. The product had to run continuously with better than 99.99% availability of the Operating System (OS). Any downtime attributed to an OS failure was carefully analyzed and, when appropriate, changes were made to Windows Server 2003 to prevent future occurrences.

Windows Server 2003 also provides improved availability through enhanced clustering support. Clustering services have become essential for organizations deploying business-critical, e-commerce, and line-of-business applications because they provide significant improvements in availability, scalability, and manageability. Windows Server 2003 Datacenter Edition supports server clusters of up to 8 nodes for failover. If one of the nodes in a cluster becomes unavailable because of failure or maintenance requirements, another node immediately begins providing the service. Windows Server 2003 also supports network load balancing (NLB) clusters, which balance incoming Internet Protocol (IP) traffic across the nodes in the cluster.

Scalability
Windows Server 2003 provides scalability through scale-up and scale-out capabilities. Scale-up is the ability of the operating system to accomplish more or larger tasks on one machine. Scale-out is the ability to distribute tasks across multiple machines; for example, the use of NLB to permit additional IIS servers to appear as one. Windows Server 2003 scales from single processor solutions all the way up to 32-way systems, and also supports both 32-bit and 64-bit architecture processors. Internal tests indicate that, compared to Windows 2000 Server, Windows Server 2003 delivers better performance in File and Print Services, the Active Directory service, Web server and Terminal Server components.


Security
Efficient and secure networked computing is more important than ever. Windows Server 2003 lets organizations take advantage of existing IT investments, and extends those advantages to partners, customers, and suppliers by deploying key features like cross-forest trusts in the Active Directory service. Identity management in Active Directory spans the entire network, helping ensure security throughout the enterprise. It is easy to encrypt sensitive data, and software restriction policies can be used to prevent damage caused by viruses and other malicious code. These capabilities make Windows Server 2003 the best choice for deploying a public key infrastructure (PKI), and its auto-enrollment and auto-renewal features make it easy to deploy smart cards and certificates across the enterprise.

In addition, businesses have extended the traditional local area network (LAN) by combining intranets, extranets, and Internet sites. As a result, increased system security is now more critical than ever before. As part of Microsoft's commitment to reliable, secure, and dependable computing, the company has intensely reviewed the Windows Server 2003 family to identify possible failure points and exploitable weaknesses. Windows Server 2003 provides many important new security features and improvements including:

Internet Information Services 6.0


To increase Web server security, Internet Information Services (IIS) 6.0 is configured for maximum security out-of-the-box, and is not automatically turned on after new operating system installations. IIS 6.0 and Windows Server 2003 provide a dependable, productive, connected, and integrated Web server solution. These are among the many new features in IIS 6.0 that enable companies to conduct business more securely on the Web.

Lower Support Costs


Microsoft designed Windows Server 2003 to help companies build the value of their business while keeping costs down. The reliability of Windows Server 2003 helps control costs by reducing outages and downtime. Windows Server 2003 has the flexibility to scale up (use larger, more powerful servers) and scale out (connect multiple servers) in response to demand. Powerful management and configuration tools in Windows Server 2003 allow businesses to deploy and manage systems easily and efficiently. Compatibility with legacy applications and third-party products means organizations will minimize the loss of their investment in existing infrastructure. In order to improve reliability and security, some legacy compatibility support has been removed.

New Capabilities
Another benefit for Microsoft IT is the ability to take advantage of new features and capabilities, such as Domain Rename, Cross-Forest Trust, Install Replica from Media capabilities, 8-node clustering support and much more. These features and capabilities in Windows Server 2003 are discussed in detail later in this paper in the sections titled Key Features and Benefits of the Technology.


BACKGROUND
Organizational Background
Like other global enterprises, Microsoft IT is organized into functional groups, including those that run the IT utility and those responsible for human resources, finance, legal, and other business processes.

The Team Model


For deployment design and planning issues, Microsoft IT followed the Microsoft Solutions Framework (MSF) team model. MSF provides a flexible, interrelated series of models that help guide an organization through assembling the resources, people, and techniques needed to bring technology infrastructure in line with business objectives. Likewise, the Microsoft Operations Framework (MOF) team model offers guidelines for deployment and service management based on a set of consistent quality goals. These best practice guidelines are gathered from the evolution of the MSF and MOF models, Microsoft Consulting Services practices, Microsoft IT, the international Information Technology Infrastructure Library (ITIL), and Microsoft business partners. Essentially, the MSF and MOF team models offer a set of successful organizational frameworks for processes such as software development, deployment, and other Microsoft IT operations such as support and management.

Deployment Team Structure


Microsoft IT deploys software using small, multidisciplinary, virtual teams. Participants are normally located in functional groups, but come together to support the deployment of a product. Upon completion of the deployment, the participants return to their functional teams. The deployment team members share responsibilities and share a common project vision with a focus on deploying the project and ensuring high quality standards. The members work together as peers, with each member having a defined role or roles, and with each role taking the focus at different points in the process. The groups involved in Microsoft IT's Windows Server 2003 deployment included:

Technology Integration and Planning (TIP). Manages Microsoft IT's execution of its responsibility as the Microsoft First and Best Customer by leading and coordinating the adoption of enterprise technology.
Messaging and Collaboration Services (MACS). Manages such services as messaging (Exchange) and collaboration services such as SharePoint Team Services. This group also manages the implementation, administration, automation, and continued integration of the Active Directory service.
Enterprise Infrastructure Services (EIS). Provides engineering, design, and implementation assistance worldwide for Microsoft businesses and users in such service areas as telecom, satellite and cable systems, backbone engineering, and systems engineering. Manages global end-to-end hosting services and support operations for corporate IT infrastructure, site operations, service management, release management, and network, computer systems, and core telephony operations.
Client Services IT (CSIT). Provides enterprise-wide help desk services, including network server-based solutions, intranet-based applications, and e-mail (messaging, public folders, and chats).

Enterprise Application Services (EAS). Develops and supports key cross-business applications, help desk applications, data warehouse applications, and batch job management.
Corporate Security Compliance and Anti-Piracy (Corporate Security) (CS). Consists of several groups that provide physical security, information security, and anti-piracy services.
Regional IT (RIT). For users located outside of the Puget Sound area of western Washington, RIT manages IT-to-business relationships, oversees infrastructure program management, partners with EIS to provide infrastructure operations and regional service management, and manages IT activities on mergers, acquisitions, and divestitures.
Business Unit IT (BUIT). Decentralized groups that provide LOB applications for specific business functions such as HR systems, Finance systems, and Operations systems.
Product development groups for Windows and Microsoft Exchange.
User Documentation Group. Because Microsoft IT usually deploys a product so early in its development cycle that product documentation is not yet complete, user documentation groups are also involved as observers in various stages of the deployment.

These groups provide the staff, computing resources, and functional expertise necessary to create the virtual team. Each organization leverages its individual business processes and technical know-how. A Program Manager from TIP serves as the overall project manager, with each group providing its own program managers and technical experts based on the assigned roles and responsibilities.

Figure 2: Microsoft IT Deployment Team Structure


Collectively, the team's responsibility is to plan and deliver the deployment within project and business constraints. Team members identify areas for improvement in the product and in the production environment, estimate the impact of such problems on the project, identify how the functionality of the product is affected, and develop and execute resolution plans.

Operational Background
Datacenter Classifications
Microsoft IT defines three classes of data centers: (1) enterprise data centers; (2) regional data centers; and (3) site data rooms. Enterprise data centers are placed where the majority of employees are located. Regional data centers are geographically dispersed and primarily house networking equipment needed to connect site data rooms with enterprise data centers. Site data rooms are typically located at the subsidiaries. Site data rooms are not within data centers, but rather are the server and cable rooms for regional offices.

Enterprise Data Centers
Microsoft data centers house thousands of corporate and Internet servers, managing more than 1000 terabytes (TB) of data. The staff who operate the enterprise data centers are responsible for managing and monitoring global network activity, corporate enterprise products and services (such as Exchange Server and SQL Server), and video teleconferencing and telephony systems.

Regional Data Centers
Microsoft operates many regional data centers around the globe. Microsoft regional data centers have fewer servers than enterprise data centers, because they serve far fewer employees than do the company's three enterprise data centers. Generally, the regional data centers run smaller, more distributed applications than those deployed in enterprise data centers, and they provide Internet access to each region. Also, in contrast to the enterprise data centers, the regional data centers usually do not have dedicated on-site staff but are administered remotely.

Site Data Rooms
At the time of the Windows Server 2003 deployment, nearly every Microsoft subsidiary office had a site data room capable of securely storing a small Windows 2000 Enterprise Server-based infrastructure to serve the needs of employees working there. The infrastructure consists of several computers running the Windows 2000 Enterprise Server operating system, providing Active Directory services, Domain Name Service (DNS), proxy service, email, file, print, and remote access. This infrastructure enables employees to log on to a network securely and access shared data within the subsidiary, collaborate with other employees in the subsidiary and print locally stored documents with or without physical network connectivity to a larger regional facility. The DHCP infrastructure is used to configure client computers to access a regional Microsoft Internet Security and Acceleration (ISA) Server array.

System Requirements
The majority of existing Microsoft infrastructure servers already met the minimum hardware requirements for Windows Server 2003. The hardware requirements for the types of servers Microsoft deployed, including Enterprise Edition, Datacenter Edition, Enterprise Edition 64-bit and Datacenter Edition 64-bit, are detailed in Table 1 below. All server computers purchased by Microsoft IT conform to the Hardware Compatibility List (HCL) specifications.
| Area | Enterprise Edition | Datacenter Edition | Enterprise Edition 64-bit | Datacenter Edition 64-bit |
|---|---|---|---|---|
| Number of CPUs supported | 1-8 | 8-32 | 1-8 | 8-32 |
| Minimum CPU speed | 133 MHz | 400 MHz | 733 MHz | 733 MHz |
| Recommended minimum CPU speed | 733 MHz | 733 MHz | 733 MHz | 733 MHz |
| Minimum RAM | 128 MB | 512 MB | 128 MB | 512 MB |
| Recommended minimum RAM | 256 MB | 1 GB | 256 MB | 1 GB |
| Maximum RAM | 32 GB | 64 GB | 64 GB | 128 GB |
| Minimum free disk space for setup | 1.5 GB | 1.5 GB | 2.0 GB | 2.0 GB |
| Minimum monitor/display | VGA | VGA | VGA | VGA |
| Recommended monitor/display | SVGA (800x600) or higher | SVGA (800x600) or higher | SVGA (800x600) or higher | SVGA (800x600) or higher |

Table 1: Windows Server 2003 Hardware Requirements

Application Compatibility
The vast majority of the nearly 1,000 line-of-business applications at Microsoft are 32-bit applications that run successfully on Windows 2000 Servers and work with Windows XP and Windows 2000 Professional clients. For Microsoft IT, as well as for other organizations moving to Windows Server 2003 from a Windows 2000 domain environment, the migration and testing effort is not as significant as for those organizations moving from a non-Windows 2000 environment. Primarily due to the security changes that occurred in the product, Microsoft IT had to ensure that its server-based applications were compatible with Windows Server 2003.

Network Structure
While a variety of network protocols are run for development and testing purposes on the Microsoft corporate network, the environment is primarily Transmission Control Protocol/Internet Protocol (TCP/IP)-based, so no structural change was required for the project. At the time of the deployment, the internal corporate network physical topology contained:

More than 250 wide area network (WAN) circuits
More than 24,000 wireless devices
More than 3,000 wireless access points
More than 3,300 IP subnets
More than 1,800 routers

More than 2,600 network layer 2 switches
More than 275 ATM switches
More than 8,800 worldwide servers
More than 350,000 LAN ports

After taking into account the normal growth of Microsoft, the infrastructure built for Windows 2000 was the same as that required for Windows Server 2003. No additional network capacity was needed to support it.

Forest and Domain Structure


Microsoft IT has multiple forests and domains within the corporate infrastructure. One forest is used for most of the daily operations of the corporation. There are three additional forests that have been created for development purposes and for staging new features prior to deployment in the corporate forest. In addition, there is one forest, the extranet, that is used for partner access to corporate resources. Multiple forests in this design allow Microsoft IT to centrally manage development forest users and groups and other corporate network resources, yet isolate the production environment from changes in the Active Directory schema that are necessary in the product development environments. The Microsoft corporate forest structure consists of five primary corporate forests as follows:
| Name | # of Domain Controllers | Users | Domains | Domain Controller Operating System |
|---|---|---|---|---|
| Corporate | 203 | 65,000 | 9 | Windows Server 2003 |
| Windows Deploy | 8 | 3,000 | | Windows Server 2003 |
| Sustained Engineering | 5 | 1,000 | 2 | Windows 2000 SP4 |
| Secondary Corporate | 8 | 2,000 | 2 | Windows Server 2003 |
| Extranet | 40 | 26,000 | 3 | Windows 2000 SP3 |

Table 2: Microsoft Corporate Forests

Lessons Learned from the Windows 2000 Deployment


For the Windows Server 2003 deployment, Microsoft IT started with an examination of the many lessons learned in the Windows 2000 Enterprise Server deployment. The following section presents some of those lessons.

Planning
Manage Assets Carefully
Planning for a company-wide software deployment requires Microsoft IT to evaluate some of its business processes to determine how to best use new technology. It is important to obtain accurate hardware and software inventory of server components to understand the infrastructure requirements for a new software deployment. For example, utilizing the new Active Directory features requires that all domain controllers be running Windows Server 2003.

Identify Dependencies
When Microsoft upgraded to Windows 2000, one area where problems were apparent during early testing was application dependencies. Most core technologies of Windows 2000 were dependent upon the availability of other base technologies. For example, in the Windows 2000 deployment, the most important business application dependency came from Exchange, as it was the heaviest user of the Active Directory service and tolerated the least amount of system downtime or slow response times. To mitigate this issue, Microsoft IT completed early prioritized testing activities to identify application dependencies between products. Then, these products were installed in the staging forest to validate their functionality at each milestone prior to deploying in the corporate forest.

Use a Lab Test Environment
Early in the planning stages of the Windows 2000 deployment, Microsoft IT constructed a test lab. As a rule, every step of the deployment was tested in the lab before being put into production. Performing tests in a lab mitigated some of the risks associated with deploying beta software. In particular, it reduced the potential for disruption caused by incompatibility between Windows 2000 and the applications that Microsoft employees typically run on their computers. The test lab also proved to be valuable for learning how to upgrade and how to perform trial runs since at that early stage of the product development cycle, no detailed installation documents existed. Because the test lab environment replicated the trust relationships of the production environment, staff members were able to use the lab for professional training for the new features.

Plan Site Definitions
As with most aspects of deployment, planning site definitions requires thorough coordination of work across disparate groups. For site definitions, network and systems personnel must collaborate to make sure that the replication needs are matched by sufficient bandwidth for the needed transport. The Windows 2000 Active Directory deployment triggered an examination of links and available bandwidth between locations to provide the site definitions that Active Directory requires. An Active Directory site can span several geographic locations (such as three different countries) and domains. For the Windows Server 2003 deployment, another re-examination of site definitions and boundaries was conducted to ensure the most efficient use of network bandwidth. The re-examination concluded that the Windows 2000 site definitions were still appropriate for the Windows Server 2003 deployment.

Communicate Widely
Through previous experience of other operating system deployment projects, Microsoft IT has learned some key lessons about the importance of communication during a project. Deployment teams need to establish regular communication methods to convey what they plan to do and when they plan to do it. Additionally, they must communicate quickly when problems arise, and they must communicate consistent and quick status when issues are resolved and projects are complete.

For the Windows Server 2003 deployment, specific e-mail distribution lists were created for each project team and for cross-group communication.

Manage the Deployment Process
Deploying new technology is the core competency and top priority of Microsoft IT. Although some aspects of the management process resemble any other project, the risks associated with deployment of a new server operating system require a more rigorous project management methodology. The deployment team must have a realistic schedule, well-defined goals, a thorough understanding of product dependencies, and the staffing resources to manage and implement the deployment.

PROJECT SCOPE AND GOALS
Project Scope

To define the scope of the beta deployment of Windows Server 2003, Microsoft IT worked with various product development teams to establish shared goals. Together, the groups identified the following approach:

• Engage the product development and Microsoft IT teams to manage the deployment as a comprehensive program.
• Use the Microsoft IT environment as a pre-release enterprise testing environment for the deployment of Windows Server 2003.
• Stress test product features, track the resolution of implementation defects and design change requests (DCRs), and provide feedback on these issues to product development.
• Have the corporate forest running in Windows forest functional mode prior to the product release to market.
• Improve the Microsoft IT environment through the implementation of new product features.
• Develop a repeatable deployment process for future use.
• Reduce support overhead and administrative costs of a large infrastructure of network servers.

After defining the goals of the project, scenarios and metrics for measuring the progress of each deployment were developed. The scenarios helped the teams identify gaps and overlaps while the metrics measured product quality and progress toward the completion of the goals. Aside from defining the work to be performed, the metrics enabled Microsoft IT to quantify results, by keeping track of, for example, the number of computers, number of Exchange Server mailboxes, and number of LOB applications that were using Windows Server 2003 at any given time. The metrics were also used to time and phase the project dependencies.

Server Deployment Goals


Microsoft IT and the product development team also developed goals for deploying Windows Server 2003 in various functional scenarios, including:

Domain Controllers
As the providers of the Active Directory-based security and trust boundaries, domain controllers are the most important infrastructure services. Their importance is also amplified by the direct relationship between Active Directory and Exchange. While some DCs are stand-alone, dedicated domain controllers at smaller sites are neither economical nor logistically feasible. As a result, consolidated server platforms were developed to host multiple services.

As the program progressed, a great service availability benefit was realized by segregating end user services from infrastructure services in two standard server configurations:

1. Base Infrastructure Platform (BIP). This includes domain controller, global catalog, DNS, and DHCP services.
2. User Services Platform (USP). This offers hosting, file share, print, and IntelliMirror services.

Windows Server 2003 Forest Functionality


A prerequisite for Windows Server 2003 Forest Mode is having all domain controllers running Windows Server 2003. In order to provide sufficient run-time and large enterprise experience, Microsoft IT enabled Windows Server 2003 Forest Mode in two forests: the Windows Deploy and Corporate production forests. The Windows Deploy forest is a newly created forest that is used as a pre-staging environment prior to configuration and feature deployment in the corporate forest.

Single Service Infrastructure Servers


In some locations within Microsoft, for example in the data centers, there are single service infrastructure servers hosting some or all of the following core infrastructure services:

• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
• Windows Internet Naming Services (WINS)
• Internet Security and Acceleration (ISA)
• Virtual Private Network (VPN)
• Terminal Services
• Systems Management Server (SMS)

Exchange mailboxes
The project goal was to have 5,400 mailboxes on Exchange servers running both Exchange Server 2003 and Windows Server 2003 at the time of the Windows Server 2003 launch. Exchange Server 2003 was still a beta product at the time of writing; however, at this time, Microsoft has over 19,000 user mailboxes running on Exchange Server 2003 and Windows Server 2003. It is important to note that Exchange 2000 servers running on Windows 2000 can interoperate with domain controllers running either Windows 2000 or Windows Server 2003.

File Servers
Microsoft IT provides dozens of stand-alone servers for both enterprise-wide and departmental file storage. The goal was to upgrade a subset (60) of these servers at each milestone to allow testing and monitoring of installation and infrastructure functionality.

Print Server Upgrade


Microsoft IT provides 28 centralized print servers in the Puget Sound area and selected larger sites around the world. The goal was to upgrade all 28 print servers at each milestone. In order to allow for proper testing and monitoring, 27 print servers were actually upgraded at each milestone, providing over 95% of the service on the latest iteration of the operating system.

My Documents Servers
One of the client IntelliMirror features of Windows 2000 and Windows XP is Folder Redirection. Folder Redirection is a way to place user data on network shares for easy user retrieval when users roam to different computers on the network. Microsoft IT offers a service where users can choose to redirect their My Documents folder, usually stored on the user's local hard disk, to a network location so that the documents in the folder are routinely backed up and available to that user from any computer on the network.

Upgrade Server Applications


A minimum number of servers running existing line-of-business (LOB) applications were upgraded to Windows Server 2003 both to provide feedback to the product group and to showcase a handful of live production applications prior to RTM. A selected list of 20 applications that together exercised the full spectrum of the operating system code was chosen to be upgraded once or more during the deployment. This list included a number of key enterprise-wide applications such as SAP R/3, Siebel, Clarify and Microsoft.com, and some internally developed LOB applications to support Sales, Marketing, Finance, Purchasing and Operations.

Reliability
Operating system-specific failures on a sample set of servers representing all server types in production at Microsoft were studied over a 21-day period prior to each milestone release, starting with RC1. Information was collected using an internally developed availability system on a server-by-server basis. Once the servers were identified and added to the data collection process, and a critical mass was obtained, trends were tracked. The goal was to demonstrate better reliability than the 99.8% availability achieved for Windows 2000. Microsoft IT measured OS availability of better than 99.99% during this project. Any downtime attributed to the OS was carefully analyzed and, when appropriate, changes were made to Windows Server 2003 to prevent future occurrences.

Geographical Scope
This was a worldwide deployment program with servers located in 65 different countries scheduled for upgrade at various milestones. There were over 200 domain controllers alone that were upgraded several times during the project. Accomplishing this in a timely manner without any user downtime required careful planning and coordination across multiple regions. Consideration needed to be given to support the various releases for specific languages as appropriate.

Product Scope
The majority of Windows Server 2003 deployment goals focused on upgrading computers running Windows 2000 Enterprise Server that resided within the Corporate forest. The Corporate forest was selected because it was the largest and most complex computing infrastructure within Microsoft. Microsoft IT focused on piloting and deploying Windows Server 2003 Enterprise Edition and limited deployment of the Datacenter and Windows 64-bit Editions. Piloting or deployment of the Standard Edition was not included in the scope of this project.

KEY FEATURES
As new features within Windows Server 2003 were designed and became available, representatives from product development groups and Microsoft IT met to determine which features to test, pilot, and deploy with Microsoft IT. Each deployed feature was carefully analyzed to confirm that there was a valid business reason for deploying it in the Microsoft IT infrastructure.

Application and Web Services


Improved IIS Reliability, Scalability and Performance
Increasing the speed at which HTTP requests can be processed and allowing more applications and sites to run on one server translates directly into fewer web servers needed to host a site. It also means that existing hardware investments can be sustained longer while being able to handle greater capacity. Microsoft Internet Information Services (IIS) 6.0 with Windows Server 2003 provides Microsoft IT with integrated, reliable, scalable, and better performing web server capabilities over an intranet, the Internet, or an extranet. In addition, if a fault occurs in IIS 6.0, the worker process will automatically be restarted without an administrator needing to restart IIS (let alone reboot the server). With Windows 2000, the server had to be rebooted in order to clear the fault.

IIS 6.0 Reliability


IIS 6.0 provides a smarter and more dependable web server environment for optimal reliability due to fewer server errors. This is achieved by building a new process model that provides a more robust application isolation environment that enables individual web applications to function as self-contained web service processes. If a service is running poorly, it can be restarted without affecting the website. In the past, the whole server had to be rebooted to correct these types of problems. Now, only the particular problem service has to be recycled, and IIS has a self-monitoring mechanism to check for services that are not running optimally. It then restarts (or resets) those services thus preventing one faulty application or Web site from stopping another from working. It also includes application health monitoring and automatic application recycling. These reliability features increase availability and eliminate the time that Microsoft IT administrators spend restarting Internet servers.

IIS 6.0 Scalability


IIS 6.0 is tuned to provide optimized scalability and consolidation capabilities that get the most from every web server. IIS 6.0 optimization means that the Microsoft IT system overhead per web application is dramatically lowered. It allows an administrator to control the CPU and memory that a particular application is using during its execution time. Optimizations allow for greatly increased throughput as more processors are added to a server, resulting in spare capacity without adding servers and adding to the overall operational management overhead. Preliminary Microsoft IT tests have shown that IIS 6.0 has increased throughput by as much as 80% on a single processor system and by 100% on a 4-processor system when compared to IIS 5.0.

IIS 6.0 Performance


These process isolation and optimization improvements make IIS 6.0 capable of consolidating thousands of applications per machine while providing granular administrative control over those applications. Preliminary Microsoft IT tests have shown that IIS 6.0 can handle over 30,000 pooled applications (compared to 2,500 pooled apps on IIS 5.0), and the tests have also run as many as 500 isolated applications on a single server, each with its own security identity.

Availability and Performance


New and upgraded features providing increased performance and availability in Windows Server 2003 include improved and increased cluster support, support for 64-bit architecture and applications, and support for logging performance monitor data to SQL Server.

Improved and Increased Cluster Support


In the Windows Server 2003 Datacenter Server Edition, the maximum supported cluster size has been increased to 8 nodes from the 4 nodes supported in Windows 2000. The maximum supported cluster size for the Enterprise Server Edition is now 8 nodes, an increase from the 2-node support provided in Windows 2000 Advanced Server. This change was made to allow increased flexibility for deployments, particularly for geographically dispersed cluster configurations, and to support N+1 configurations (N active with 1 spare). By increasing the number of nodes in a server cluster, Microsoft IT administrators have more options for deploying applications and providing failover policies that match business expectations and risks. Larger server clusters provide more flexibility in building multi-site, geographically dispersed clusters that provide for disaster tolerance, as well as traditional node and/or application failure. Other new features or improved functionality of the clustering service in Windows Server 2003 include the following:

• Easier setup and configuration
• Active Directory integration
• 64-bit support
• Distributed File System (DFS) and Offline Files support

Note: For more information on improvements to the Clustering Service in Windows Server 2003, see www.microsoft.com/windowsserver2003/technologies/clustering/default.mspx.

Support for 64-Bit Architecture and Applications


Windows Server 2003, Enterprise Edition and Datacenter Edition are each available in 64-bit versions for computers running the Intel Itanium-based processor family. 64-bit capability enables computing-intensive tasks such as online data processing, large-scale data warehousing, e-commerce, high-end graphics, and multimedia. One of the key features that 64-bit support provides is increased linear memory addressing capabilities. The 32-bit platform is somewhat restricted in its use of memory above 4GB and has to use paged memory stored on disk as a work-around, but the 64-bit platform is not restricted to the same memory limits and can theoretically provide linear memory addressing of more than 16 exabytes (one exabyte equals one billion gigabytes). With this increased addressable memory available in 64-bit systems, Microsoft IT can run more applications in physical memory and avoid paging to the slower hard disks. Windows Server 2003 also supports a larger number of users and enables enhanced performance because applications can store more data in memory, a benefit that improves data access and can lower total cost of ownership (TCO).

Performance Monitor Logging To SQL Server


Windows Server 2003 allows performance monitor logs to be sent directly to a SQL database. When investigating a problem with a particular performance issue, a Microsoft IT administrator can open up the performance monitor, query SQL Server and pull in the relevant counters to find the relevant historical data. This feature can be easily set up and configured by using an ODBC connection between the client or server machine that is storing the logs and a SQL Server database. Microsoft IT uses this system to test the quality of their builds by logging server optimization data and then using the data to track server availability. The biggest benefit here is that performance data is logged directly into SQL Server, thus allowing the use of the power of SQL Server for analysis etc.

Directory Services (DS) Forest Management


Windows Server 2003 includes domain and forest functional levels. The functional levels available are dependent on the operating systems running on the domain controllers in the forest. Some new features, such as Domain Rename and Cross Forest Trust, are only available in a forest running at the Windows Server 2003 forest functional level.

Note: For more information on domain and forest functional levels and how to enable them, see www.microsoft.com/technet/prodtechnol/windowsnetserver/evaluate/cpp/reskit/adsec/part1/rkpdsefl.asp.

Cross-Forest Trusts
In the Windows Server 2003 family, Active Directory has been enhanced with some additional security features that make it easier to manage multiple forests and cross-domain trusts.

Note: The Windows Server 2003 Forest Functional Mode level is required for this feature.

A Forest Trust is a new type of Windows trust for managing the security relationship between two forests. This feature vastly simplifies cross-forest security administration and enables the trusting forest to enforce constraints on specific security principal names that it trusts other forests to authenticate. For companies with multiple forests, or companies that work with a trusted partner that has its own forest, this feature simplifies trust management by allowing administrators to set up one transitive trust rather than trusts between each separate domain in each forest. Both forests have to be running at Windows Server 2003 forest functional mode to use this new feature. Cross-forest trust allows administrators to set permissions based on users or groups that are resident in the other forest. Active Directory then enables authentication and authorization to take place across the forest boundary.

Trust Management
A new wizard simplifies creating all types of trust links, including forest trusts. A new property page enables management of the trusted namespaces associated with forest trusts.

Trusted Namespaces
Trusted namespaces are used to route authentication and authorization requests for security principals whose accounts are maintained in a trusted forest. The domain, user principal name (UPN), service principal name (SPN) and security identifier (SID) namespaces that a forest publishes are automatically collected when a forest trust is created, and refreshed by the Active Directory Domains and Trusts user interface. A forest is trusted to be authoritative for the namespaces it publishes as long as the second forest does not have identical trusted namespaces from existing forest trust relationships.

Overlapping trusted namespaces are automatically disabled. Administrators can also manually disable individual trusted namespaces.
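The overlap rule above can be modelled in a few lines. This is an added example, not Microsoft's code: forest names, SIDs and UPNs are constructed, matching is by identical name only, and it assumes the later-collected entry is the one that gets disabled, so a newly trusted forest cannot take over authentication for a name that an existing trust already owns.

```python
from dataclasses import dataclass


@dataclass
class TrustedNamespace:
    forest: str          # trusted forest that published the name
    kind: str            # "domain", "upn", "spn" or "sid"
    name: str
    enabled: bool = True
    reason: str = ""     # why routing is disabled, if it is


class ForestTrustTable:
    """Trusted namespaces held by the trusting forest (simplified model)."""

    def __init__(self):
        self.entries = []

    def _owner(self, kind, name):
        # The enabled entry, if any, that is authoritative for this name.
        for e in self.entries:
            if e.enabled and e.kind == kind and e.name.lower() == name.lower():
                return e
        return None

    def add_forest_trust(self, forest, published):
        """Collect the names a newly trusted forest publishes; disable overlaps."""
        added = []
        for kind, name in published:
            clash = self._owner(kind, name)
            entry = TrustedNamespace(forest, kind, name)
            if clash is not None:
                # Assumption: the newly collected entry loses, the existing one stays.
                entry.enabled = False
                entry.reason = f"overlaps {clash.forest}"
            added.append(entry)
        self.entries.extend(added)
        return added

    def disable(self, forest, kind, name):
        """Manual disable of one trusted namespace by an administrator."""
        for e in self.entries:
            if (e.forest, e.kind, e.name.lower()) == (forest, kind, name.lower()):
                e.enabled, e.reason = False, "disabled by administrator"

    def route_upn(self, upn):
        """Return the forest trusted to authenticate this UPN, or None."""
        suffix = upn.rpartition("@")[2]
        owner = self._owner("upn", suffix)
        return owner.forest if owner else None


def demo():
    table = ForestTrustTable()
    # Constructed sample data: two trusted forests, the second claims a UPN
    # suffix that the first already publishes.
    table.add_forest_trust("partner.example", [
        ("domain", "partner.example"),
        ("upn", "partner.example"),
        ("sid", "S-1-5-21-1111-2222-3333"),
    ])
    second = table.add_forest_trust("acquired.example", [
        ("domain", "acquired.example"),
        ("upn", "acquired.example"),
        ("upn", "partner.example"),
        ("sid", "S-1-5-21-4444-5555-6666"),
    ])
    auto_disabled = [(e.kind, e.name, e.reason) for e in second if not e.enabled]
    routed_before = table.route_upn("bob@acquired.example")
    table.disable("acquired.example", "upn", "acquired.example")
    return {
        "auto_disabled": auto_disabled,
        "alice": table.route_upn("alice@partner.example"),
        "bob_before_manual_disable": routed_before,
        "bob_after_manual_disable": table.route_upn("bob@acquired.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```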

DS Domain Management
Optimized Caching
Windows 2000 limited how much cache could be used for the Active Directory database on 32-bit systems. (There was an option to add a switch to the BOOT.INI file that allowed the system to use up to approximately 1GB of memory to improve caching performance.) In Windows Server 2003 64-bit edition, however, the cache limitation no longer exists, allowing the system to use all available memory for the Active Directory database (also known as the DIT file). Microsoft IT has seen their database cache grow up to 2.4GB on 64-bit systems, which has increased directory performance.

In Windows Server 2003, the domain controller can simply be renamed and then rebooted; in some domains over 90% were renamed using this capability. Overall, about 40% in the Corp Forest were renamed.

Note: The Windows Server 2003 Forest Functional Mode level is not required for this feature.

Deactivation of Schema Attributes and Classes


Active Directory in Windows Server 2003 has been enhanced to allow the deactivation of attributes and class definitions in the Active Directory schema. Attributes and classes can be redefined if an error was made in the original definition. In Windows 2000, attributes could only be deactivated, but not redefined, so if mistakes were made when creating new attributes, they remained in the schema. Deactivation provides the ability to supersede the definition of an attribute or class after it has been added to the schema if an error was made in setting an immutable property. It is a reversible operation, allowing administrators to undo an accidental deactivation without side effects. Microsoft IT administrators now have greater flexibility with respect to their Active Directory schema management.

Note: The Windows Server 2003 Forest Functional Mode level is required for this feature.

Single Instance Storage (SIS)


In Windows 2000 Server, all security descriptors for a particular Active Directory object were attached to the object. The security descriptor is a fairly large attribute. Many common security descriptors were used repeatedly for multiple Active Directory objects. For example, all user accounts in one specific OU tend to have the same security descriptor. This caused a lot of database space to be utilized for storing identical data. In Windows Server 2003, with the Single Instance Storage feature, only unique security descriptors are stored individually for each object, and pointers to common security descriptors are now used instead of storing each one separately for each object. For Microsoft IT this feature reduced the size of the Active Directory database by about 40%.

Note: The Windows Server 2003 Forest Functional Mode is not required for this capability.

Partial Attribute Set Change


In Windows Server 2003, the global catalog synchronization state is preserved rather than reset, minimizing the work generated as a result of a Partial Attribute Set (PAS) change in membership by only transmitting attributes that were added or changed. The overall benefit to Microsoft IT has been a reduction in replication traffic and more efficient PAS updates. This only works between Windows Server 2003 Global Catalog servers.

Install Replica from Media


Instead of replicating a complete copy of the Active Directory database over the network, this feature allows a Microsoft IT administrator to source initial replication from files created when backing up an existing domain controller or global catalog server. The backup files, generated by any Active Directory-aware backup utility, can be transported to the candidate domain controller using media such as tape, CD, DVD, or even via file copy over a network. Slow bandwidth increases the time for a domain controller to be fully replicated. Using this feature, Microsoft IT administrators have reduced the time it takes to rebuild a domain controller from several days to just hours. During the Windows Server 2003 deployment specifically, Microsoft IT saved time by utilizing this feature. Microsoft IT is now able to install a new server into production within hours instead of days, anywhere in the world.

Note: The Windows Server 2003 Forest Functional Mode is not required for this feature.

Domain Controller Rename


In any large environment, hardware upgrades and attrition can result in an incomprehensible, disjointed naming structure for servers. In Windows 2000, renaming a domain controller was only possible by first demoting the domain controller to be a member server by using the DCPROMO tool, renaming the member server, and then using the DCPROMO tool again to re-promote the server. In large enterprise networks, the replication time could take several days to complete, and the process required a large amount of administrative work and high levels of security credentials, and could potentially impact end users.

Note: The Windows Server 2003 Domain Functional Level is required for this feature.

Linked Value Replication


When a forest is advanced to Windows Server 2003 Forest Mode, the method by which changes to group membership are replicated is changed to store and replicate values for individual members instead of treating the entire membership as a single unit. So, when a change to a group occurs, only the change is replicated rather than the entire group. In Windows 2000, when two updates occurred simultaneously, there could only be one winner, so there was the potential for one change to be lost. Windows Server 2003 allows simultaneous updates to synchronize, so no data is lost. For Microsoft IT, linked value replication has resulted in lower network bandwidth and processor usage during replication and reduces the possibility of losing group membership changes when updates are made simultaneously on domain controllers in two separate locations.

Note: The Windows Server 2003 Forest Functional Mode is not required for this feature.
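The lost-update case described above, as an added simulation (not Microsoft's code): two domain controllers change the same group at the same moment, one removing a departed administrator and the other adding a new hire. The (version, DC name) stamp is a simplified stand-in for Active Directory's conflict resolution, and all account and DC names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class WholeAttributeGroup:
    """Membership replicated as one unit with one version stamp (pre-LVR model)."""
    members: frozenset = frozenset()
    stamp: tuple = (0, "")  # (version, originating DC); the higher tuple wins

    def local_write(self, dc, members):
        self.members = frozenset(members)
        self.stamp = (self.stamp[0] + 1, dc)

    def pull_from(self, source):
        """Pull the attribute from source; return how many values crossed the wire."""
        if source.stamp == self.stamp:
            return 0
        if source.stamp > self.stamp:
            # Last writer wins: the whole membership list is overwritten.
            self.members, self.stamp = source.members, source.stamp
        return len(source.members)


@dataclass
class LinkedValueGroup:
    """Each member value carries its own stamp and a present/absent flag (LVR model)."""
    values: dict = field(default_factory=dict)  # member -> (version, dc, present)

    def local_set(self, dc, member, present):
        version = self.values.get(member, (0, "", False))[0] + 1
        self.values[member] = (version, dc, present)

    def members(self):
        return frozenset(m for m, v in self.values.items() if v[2])

    def pull_from(self, source):
        """Pull only the values that differ; conflicts are resolved per value."""
        sent = 0
        for member, theirs in source.values.items():
            mine = self.values.get(member)
            if mine == theirs:
                continue
            sent += 1
            if mine is None or theirs[:2] > mine[:2]:
                self.values[member] = theirs
        return sent


def simulate(group_size=5000):
    # Constructed membership: group_size ordinary users plus one departed admin.
    base = [f"user{i:04d}" for i in range(group_size)] + ["departed.admin"]

    # Whole-attribute replication: both DCs start from the same seeded state.
    a, b = WholeAttributeGroup(), WholeAttributeGroup()
    a.local_write("seed", base)
    b.members, b.stamp = a.members, a.stamp
    a.local_write("DC-A", a.members - {"departed.admin"})  # security-relevant removal
    b.local_write("DC-B", b.members | {"new.hire"})        # simultaneous addition
    whole_sent = b.pull_from(a) + a.pull_from(b)

    # Linked value replication: the same two changes, stamped per value.
    la, lb = LinkedValueGroup(), LinkedValueGroup()
    for m in base:
        la.local_set("seed", m, True)
    lb.values = dict(la.values)
    la.local_set("DC-A", "departed.admin", False)
    lb.local_set("DC-B", "new.hire", True)
    lvr_sent = lb.pull_from(la) + la.pull_from(lb)

    def report(m_a, m_b, sent):
        return {
            "converged": m_a == m_b,
            "removal_kept": "departed.admin" not in m_a,
            "addition_kept": "new.hire" in m_a,
            "values_sent": sent,
        }

    return {
        "whole_attribute": report(a.members, b.members, whole_sent),
        "linked_value": report(la.members(), lb.members(), lvr_sent),
    }


if __name__ == "__main__":
    for model, result in simulate().items():
        print(model, result)
```

In the whole-attribute run both replicas converge, but on DC-B's list, so the removed account is silently back in the group; after simultaneous edits to a sensitive group, comparing the resulting membership against the intended changes is the check that catches this.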

DHCP Backup Options


Previously, in Windows 2000 Server, moving a database from one physical server to another required multiple actions, including importing registry keys as well as moving the key database files. The new Windows Server 2003 DHCP MMC snap-in now provides new menu items for backup and restore of DHCP databases. When the user chooses either of these menu items, a browser window appears to offer the selection of a location, and allows the user to create new folders. As a result, backup and restore can easily be managed via a single interface in the MMC. Another very valuable new feature is the addition of the new export/import functionality. This feature allows the import and export of the entire database and configuration or just a single scope to another DHCP server. For Microsoft IT this feature has saved time and eased the process of moving the DHCP server service to new hardware. After installing DHCP on Server B, making sure that the database, audit, and backup locations are the same, the Backup/Restore process is now as simple as backing up the database on Server A, copying the files from Server A to Server B, and then restoring the files on Server B. The import/export functionality allows Microsoft IT to easily migrate scopes between DHCP servers for maintenance or to restore a DHCP server to new hardware in the event of server failure.

File Service Improvements


Shadow Copy Restore
Windows Server 2003 includes a new feature called Shadow Copy that addresses the problem of losing data through human error. A shadow copy is a previous version of a file. Using shadow copies, a Windows Server 2003-based file server will efficiently and transparently maintain a set of previous versions of all files on the file server. The Shadow Copy Restore client-side service provides consistent, point-in-time versions for network shares. Users can immediately recover accidentally deleted files or folders on network shares without requiring system administrator intervention. Users can do this in Windows Explorer by simply right-clicking the file, selecting Properties and viewing the Previous Versions tab to find earlier versions of the file. While shadow copies cannot replace an organization's current backup solution -- for example, shadow copies cannot protect them from data loss due to media failures -- shadow copies can reduce the number of restores of data from tape.

Volume Shadow Copy Service (VSS)


VSS is a general infrastructure service for creating point-in-time copies of data on a volume. The goal of VSS is to provide an efficient, robust, and useful mechanism for the next generation of data management applications. The advantage of this service is that client services such as Shadow Copy Restore in Windows Server 2003 and other backup applications can work without the need to stop activity on the server during the backup process. Windows Server 2003 gives the best of both worlds because it allows online backups to provide consistent data, without restricting backup access to open files.

Distributed File System (DFS)


DFS improvements include integration with Microsoft Active Directory link costing. When DFS is implemented in conjunction with an organization's existing Active Directory service, DFS ranks all available client-server connections by the site link cost defined in Active Directory. Users can then transparently access data from the nearest available file replica. For users, a DFS tree appears to be a single entity even though it can be drawn from numerous shared folders on computers throughout an enterprise. This allows users to easily find files or folders distributed across the network. DFS shares can also be published as Volume Objects in Active Directory and administration of them can be delegated.

Print Service Improvements


The Windows Server 2003 family provides many enhancements to the print system infrastructure. The most significant improvement recognized by Microsoft IT is the ability to consolidate print servers from 16 down to 4 with implementation of Windows Server 2003. Microsoft IT printing supports over 40,000 employees in Puget Sound. These 1300 print queues average 5 to 7 million pages printed each month.

Networking & Access


Several new and upgraded features related to networking in Windows Server 2003 are listed below.

Wireless 802.1x
Several features and enhancements have been added to the Windows Server 2003 family to improve the experience in deploying wireless LAN networks, including automatic key management and user authentication and authorization prior to LAN access. These enhancements include the following:

Enhanced Ethernet and Wireless Security (IEEE 802.1X Support)
Previously, wireless LAN networking lacked an easy-to-deploy security solution with a key management system. Microsoft and several wireless LAN and PC vendors worked with the IEEE to define IEEE 802.1X, a standard for port-based network access control that applies to both Ethernet and Wireless LANs. Microsoft implemented IEEE 802.1X support in Windows XP and worked with wireless LAN vendors to support the standard in their access points.

Wireless Zero Configuration
In conjunction with the wireless network adapter, the Windows Server 2003 family can automatically detect available wireless networks, select from them, and configure connections without user intervention. Settings for specific networks can be saved and automatically used the next time the computer associates with that wireless network. In the absence of an infrastructure network, the Windows Server 2003 family can configure the wireless adapter to use ad-hoc mode.

Wireless Roaming Support
Windows 2000 included enhancements for detecting the availability of a network and acting appropriately. These enhancements have been extended and supplemented in the Windows Server 2003 family to support the transitional nature of a wireless network. Features added in the Windows Server 2003 family include renewing the DHCP configuration upon reassociation, re-authentication when necessary, and choosing from multiple configuration options based on the network to which the computer is connected.

Wireless Monitor Snap-In
The Windows Server 2003 family includes a new Wireless Monitor snap-in that can be used to view wireless access point (AP) or wireless client configuration and statistical information.

Password-based Authentication for Secure Wireless Connections
The Windows Server 2003 family includes support for Protected Extensible Authentication Protocol (PEAP) for wireless network connections. With PEAP, administrators can use a password-based authentication method to securely authenticate wireless connections. PEAP creates an encrypted channel before the authentication process occurs. Therefore, password-based authentication exchanges are not subject to offline dictionary attacks. The Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is now available as an EAP authentication type. PEAP with the EAP version of MS-CHAP v2 allows users to have secure wireless authentication without administrators having to deploy a public key infrastructure (PKI) and install certificates on each wireless client. The Windows Server 2003 family Remote Authentication Dial-in User Service (RADIUS) server, known as the Internet Authentication Service (IAS), has also been enhanced to support PEAP.

Group Policy Extension for Wireless Network Policies
A new Wireless Network (IEEE 802.11) Policies Group Policy extension allows administrators to configure wireless network settings for all computers in each domain from a
Deploying & Supporting Windows Server 2003 Page 27 - 27 -

- 27 -

single server source. Wireless network settings include the list of preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE 802.1X settings Administrators can configure wireless policies from the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node in the Group Policy snap-in. Unauthenticated Access for Wireless LAN Connections Both the Windows Server 2003 family wireless client and IAS support unauthenticated wireless connections. In this case, Extensible Authentication Protocol-Transport Level Security (EAP-TLS) is used to perform one-way authentication of the IAS server certificate, and the wireless client does not send a user name or user credentials. To enable unauthenticated access for wireless clients, select Authenticate as guest when user or computer information is available on the Authentication tab from the properties of a wireless connection in the Network Connections folder. To enable unauthenticated access for the IAS server, the guest account is enabled and a remote access policy is configured that allows unauthenticated access for EAP-TLS connections using a group containing the guest account. The remote access policy can also specify a virtual LAN (VLAN) ID that corresponds to a temporary network segment for unauthenticated users.

Security
There were many security enhancements made to the Windows 2003 Server family of products. For example, only those services required for basic server function are on by default on installation, allowing administrators to turn on specific services as they are needed. In addition, security enhancements were made to many security features.

IP Security
There have been several improvements to IP Security (IPSec) in the Windows Server 2003 platform including the following:

Support for Resultant Set of Policy (RSoP). To enhance IPSec deployment and troubleshooting, IPSec now provides an extension to the RSoP snap-in. RSoP is an addition to Group Policy that administrators can use to view existing IPSec policy assignments and to simulate planned IPSec policy assignments for a computer or a user. To view existing policy assignments, administrators can run an RSoP logging mode query. To simulate planned IPSec policy assignments, administrators can run an RSoP planning mode query.

Command-line Management with the Netsh utility. Using commands in the Netsh IPSec context, an IT administrator can configure static or dynamic IPSec main mode settings, quick-mode settings, rules, and configuration parameters. The Netsh IPSec context replaces the Ipsecpol.exe tool provided with the Windows 2000 Server Resource Kits. An IT administrator can use this feature to script and automate IPSec configuration.

IPSec fast failover support with NLB and Microsoft Cluster Service (MSCS) Clustering. Microsoft now supports Windows Server 2003 using IPSec transport mode Encapsulating Security Payload (ESP) to encrypt communication with clustered Windows Server 2003 servers using NLB or MSCS. When used in LAN scenarios, failover times to re-establish IPSec connectivity to a cluster virtual IP are reduced to typically 3 to 6 seconds for administrative moves of clustered resources, or 2 minutes when a crash or other sudden connectivity loss occurs. An IT administrator can use this feature to improve the client experience when leveraging both IPSec and clustering to offer a more secure and reliable application environment.
Note: This feature is only provided with Enterprise Edition and Datacenter Edition.

Certificate Mapping to Active Directory Computer Account Provides Access Control. The IPSec Policies snap-in can now be configured to map a computer certificate to the computer account within an Active Directory forest. This takes advantage of the same certificate mapping that IIS and other PKI-enabled services use. After the certificate is mapped to a domain computer account, access controls can be set using the settings for network logon rights. A network administrator can now restrict access to a computer running a member of the Windows Server 2003 family using IPSec to allow access only to computers from a specific domain, computers that have a certificate from a particular issuing certification authority, a specific group of computers, or even a single computer.

Certificate Server / Services


When Microsoft IT first deployed an 802.1x wireless network, the PKI providing the security certificates was running on Windows 2000. The PKI provided the ability to automatically enroll the participating machines but not the participating user. Since Windows 2000 PKI does not support auto enrollment for users, Microsoft IT was forced to create a web-based enrollment tool to provision user certificates to the client. The user wishing to enroll for a user certificate for wireless use navigated to the web site and then clicked on the web tool. The tool then would enroll the certificate for the user. Windows Server 2003 PKI supports auto enrollment for users as well as machines. There is no need for the users to be directed to the web site to obtain their user certificates. The log on procedure automatically enrolls the necessary certificates, thereby reducing Microsoft IT overhead in administering and managing certificates.

Selective Authentication
Allowing implicit trust between resource domains can increase security risk to an organization. Microsoft IT does not implicitly trust domains managed by anyone other than Microsoft IT since Microsoft IT cannot ensure those environments are secure. Selective Authentication provides the ability to grant authentication privileges to a Microsoft IT-managed environment for users in another forest on a server or a service account basis. With Selective Authentication, Microsoft IT can allow specific user accounts from other environments to have minimal authentication into a Microsoft IT forest in order to access resources or run applications between the environments. Selective Authentication helps to reduce exposure of Microsoft IT user accounts in non-Microsoft IT managed environments, especially where domain accounts are required to run computer services. In Microsoft IT's Extranet environment, for example, the Extranet forest trusts Microsoft IT's internal user forest, thereby allowing Microsoft IT users to access resources in the Extranet environment. For the few services that have to connect back to the Microsoft IT internal environment, application owners use specified internal user accounts to run the service and have restricted ability to initiate inbound network traffic. Since the majority of the Extranet user accounts are not authenticated users in the Microsoft IT forest, the Microsoft IT forest is better protected from compromise through the Extranet environment.

Miscellaneous Features
Additional new and upgraded features are listed below.

Multi-Language User Interface Builds


Before having the Multi-Language User Interface (MUI) build, customers had to deploy different localized versions of the OS for their respective language. This proved to be a complex task in terms of deploying, supporting, and servicing multiple language versions of platforms inside corporate networks. MUI allows customers to roll out the same US English OS worldwide. Local users at different remote locations can select the UI language they want to use. It also allows users of different languages to share the same workstation. One user might choose to see system menus, dialogs, and other text in Japanese, while another user logging onto the same system can see the corresponding text in Simplified Chinese. Since MUI is an add-on package on top of standard US English, it does not change the OS binaries at all. The standard US English hot-fixes and service pack releases can be deployed on any MUI server in the world, rather than the specific localized language edition of the release. MUI is better in Windows Server 2003. More components of the OS are now localized, so the support is more comprehensive. Also, there are now native drivers for alternate language printers and input devices included in each pack. Microsoft IT supports servers in data centers throughout the world. English is sometimes a second language for Microsoft IT operators worldwide. When they access MUI servers, they can read the text on the screen in their native language, which affords them the confidence to support mission critical servers.

Remote Installation Services (RIS)


Key enhancements in RIS for Windows Server 2003 include support for deploying Windows XP Professional, Windows 2000, and Windows Server 2003. Previous RIS versions included support for deploying Windows 2000 Professional only. The new RIPrep image hardware abstraction layer (HAL) filtering feature offers operating system images to clients while ensuring that there are no HAL mismatches. The HAL is a layer of software that deals directly with the computer hardware. The HAL provides routines that enable a single device driver to support a device on different hardware platforms, making device driver development much easier. Different computer hardware may require a different HAL; therefore, prior to the HAL filtering feature, many RIPrep image installations would fail if the source computer used to create the image had a different HAL than the one needed on the target computer. Additionally, new AutoEnter functionality in the Operating System Choice Wizard allows administrators to fully automate installs. Security enhancements for RIS include the ability to enable password encryption in the unattend file used to automate installs. The primary benefit for Microsoft IT in implementing RIS was to provide better support for client installs.

Terminal Services
The Terminal Server component of Windows Server 2003 builds on the solid foundation provided by the Application Server mode of Windows 2000 Terminal Services. Terminal Server allows IT administrators to deliver Windows-based applications, or even the Windows desktop itself, to virtually any computing device, including those that cannot run Windows.

Terminal Server can enhance an enterprise's software deployment capabilities for a variety of scenarios that require non-traditional application distribution technologies.

DEPLOYMENT
Deployment Planning Stages
Timeline and Phasing
There were four phases to Microsoft IT's successful deployment of Windows Server 2003:

Phase 1 - Pilot Testing


The pilot testing phase for Windows Server 2003 was started early in the deployment plan. Each core infrastructure service was identified, and the baseline plan was created. The baseline plan documents the steps required to install, configure, and deliver the infrastructure service on Windows Server 2003, including the operating system itself. The baseline includes expected timescales from receiving the necessary components from Engineering right through to service delivery. The advantages to Microsoft IT of producing these documents are threefold:

Deployment steps provide step-by-step procedures for the support person carrying out the install.
Management timescales provide clear communication regarding how long the installation of each server and service will take. This is useful information for staffing needs.
Technical support and troubleshooting is expedited by checking the baseline against expected behavior if the installation goals are not being met.

Phase 2 - Production Domains

Once each of the operating system release milestones had been through pilot testing, the next phase was to release it to the production environment. In Microsoft IT's ramped rollout process, one server in a group was upgraded and allowed to run for 48 hours while being monitored. Upon successful server operation of the upgraded system for the first 48 hours, the rollout continued, doubling the number of servers deployed every 24 hours. In this case, when no failures were encountered, one server was upgraded on day one, two servers on day three, four servers on day four, and the remaining three servers on day five. An average runtime of 7.2 days was achieved with a standard deviation of three days. The advantage of this scenario is the significant increase in runtime over a linear/serial rollout, with very little increase in risk. The advantage over other rollout methods is that the stability of the product is not assumed. Instead, more time is spent analyzing the behavior on a subset of systems before reaching a point of no return.

Phase 3 - Global Rollout and Viability

The global rollout at Microsoft started after the first two deployment phases had been completed. The global rollout includes the execution of the baseline installation plans documented and refined during the first two phases. The documents are day driven rather than date driven. For example, the plan says, "On day 1 ensure that the following components have arrived from engineering..." and "On day 2 observe the systems installed on Day 1 and verify that...". This ensures that the installation documents can work anywhere, at any time.

Phase 4 - Reliability Testing


Part of the ship criteria for each of the milestone builds for Windows Server 2003 is that Microsoft IT runs a product reliability program. This study tracks progress from build to build on the stability, reliability, and availability of the product and its services, and it also, therefore, serves to prove a certain level of quality for each milestone build before it is released to manufacturing. Operating system reliability, stability, and availability was measured by examining each reboot across a subset of servers running the new build. The systems were carefully managed, and each reboot was analyzed for root cause. Reboots were captured and coded electronically using SET (shutdown event tracker). If the reboot was the result of an operating system failure (also known as a bug), then it was counted toward the downtime metric.

PADA
Microsoft runs an internal system called PADA that uses data collectors worldwide to pull Performance Log and Event Log information off of the production servers and brings it into a large database which can be used by Microsoft IT personnel to view availability and reliability data of each of the builds. This provides an availability measure per build which is used as the target to improve upon for the next subsequent build as well as pertinent performance data.

Benefits of the Technology


IAS and RADIUS
Previously in Windows 2000 Server IAS, each client had to be configured with its own shared secret. The shared secret is used by a RADIUS server to authenticate a RADIUS client. There was no method to copy, or save and restore, the secret. When configuring hundreds of individual access points, typing this secret can become tedious. Windows 2000 also lacked the capability to proxy for users of different forests or domains. Windows Server 2003 IAS supports RADIUS proxy functionality through the configuration of connection request policies and remote RADIUS server groups. This allowed Microsoft IT to configure access points to access a specific set of servers and to proxy requests from separate forests. For this example, connection request policies are created to match different portions of the User-Name RADIUS attribute corresponding to each account database (such as different Active Directory forests). RADIUS messages are forwarded to a member of the corresponding remote RADIUS server group matching the connection request policy.
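
The routing decision described above can be modeled in a few lines. The following Python sketch is an added illustration, not IAS code or configuration from this paper: the realm names, server names, first-match policy order, and "first reachable member" selection are all assumptions made for the model. It also shows why the User-Name patterns should be anchored and escaped, so that a request is only proxied to the forest whose realm it actually carries.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    user_name_pattern: str   # regular expression tested against User-Name
    server_group: str        # remote RADIUS server group that receives the request


# Constructed sample data: two account databases (forests), one server group each.
SERVER_GROUPS = {
    "CorpForest": ["ias-corp-01.example.test", "ias-corp-02.example.test"],
    "ExtranetForest": ["ias-ext-01.example.test"],
}

# Anchored patterns: the realm must be the whole suffix (or prefix) of User-Name.
ANCHORED_POLICIES = [
    ConnectionRequestPolicy("Corp UPN", r"^[^@\\]+@corp\.example\.test$", "CorpForest"),
    ConnectionRequestPolicy("Corp down-level", r"^CORP\\[^@\\]+$", "CorpForest"),
    ConnectionRequestPolicy("Extranet UPN", r"^[^@\\]+@extranet\.example\.test$",
                            "ExtranetForest"),
]

# The first rule written loosely: unanchored, with unescaped dots.
LOOSE_POLICIES = [
    ConnectionRequestPolicy("Corp UPN (loose)", r"@corp.example.test", "CorpForest"),
]

# Constructed probes: names that must NOT be routed to the corporate forest.
NEGATIVE_PROBES = [
    "user@corp.example.test.other.example",   # corporate realm is only a prefix
    "user@corpXexample.test",                 # an unescaped dot matches 'X'
    "user@extranet.example.test",             # belongs to the other forest
]


def route(user_name, policies, groups=SERVER_GROUPS, unreachable=frozenset()):
    """Return (policy name, server) for the first policy whose pattern matches.

    Returns (policy name, None) when a policy matched but every member of its
    server group is unreachable, and None when no policy matched at all.
    """
    for policy in policies:
        if re.search(policy.user_name_pattern, user_name, re.IGNORECASE):
            for server in groups[policy.server_group]:
                if server not in unreachable:
                    return policy.name, server
            return policy.name, None
    return None


def audit(policies, probes):
    """List (policy, probe) pairs where a policy matches a name it should not."""
    return [(policy.name, probe)
            for policy in policies
            for probe in probes
            if re.search(policy.user_name_pattern, probe, re.IGNORECASE)]


if __name__ == "__main__":
    for name in ["alice@corp.example.test", "CORP\\bob",
                 "carol@extranet.example.test", "dave@unknown.example"]:
        print(name, "->", route(name, ANCHORED_POLICIES))
    print("loose policy over-matches:", audit(LOOSE_POLICIES, NEGATIVE_PROBES))
```

Running the audit against a list of names that must never reach a given forest is a cheap regression check to repeat whenever a connection request policy pattern changes.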

Terminal Server Licensing (TSL)


Previously in Windows 2000 Server, temporary licenses were not cleaned up after the clients were issued a permanent license. This caused an incorrect number of clients to be registered, and there was some administration overhead to clean these up. In Windows Server 2003, TSL removes all temporary licenses that have been expired for 30 days. This has allowed TSL to more accurately display the number of clients that have licenses issued and to reduce the time spent by the administrator cleaning up these licenses. For Microsoft IT, this feature helped to stabilize the license counts, allowing a better understanding of the number of workstations being used to log on to Terminal Servers running in application mode. This information helps Microsoft IT make decisions on user impact when making changes to Terminal Servers.

WINS
Previously in Windows 2000 Server, only the PersonaNonGrata feature was configurable in the WINS MMC. Managing the replication of records based on owner IP was only possible by excluding owner IP addresses where replication was not required. In Windows Server 2003, the option is available in the MMC to either exclude (PersonaNonGrata) or include (PersonaGrata) records owned by other WINS servers. The WINS MMC has also been greatly improved with advanced sort and lookup functionality. For Microsoft IT, this feature has saved configuration time for WINS servers: rather than creating a PersonaNonGrata list of dozens of IP addresses to exclude, Microsoft IT simply maintains a small list of supported PersonaGrata server IP addresses. This also increases the data integrity of the WINS database, as records from an unapproved WINS server will not be replicated until the IP address of that WINS server is added to the PersonaGrata list. Also, the new filtering capabilities facilitate troubleshooting and record identification by improving record lookup operations.
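
The data-integrity difference between the two list types is the difference between default-allow and default-deny. The following Python sketch is an added, simplified model of owner-based replication filtering, not WINS code; the record layout, names, and addresses are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed sample: records offered by a replication partner, each tagged with
# the IP address of the WINS server that owns the record.
OFFERED_RECORDS = [
    {"name": "FILESRV01", "address": "10.0.1.20", "owner": "10.0.0.5"},
    {"name": "PRINTSRV02", "address": "10.0.2.31", "owner": "10.0.0.6"},
    {"name": "LABBOX", "address": "10.0.9.40", "owner": "10.0.9.9"},     # known lab server
    {"name": "FILESRV01", "address": "10.0.7.66", "owner": "10.0.7.7"},  # owner nobody vetted
]

PERSONA_NON_GRATA = ["10.0.9.9"]             # exclude list: everything else replicates
PERSONA_GRATA = ["10.0.0.5", "10.0.0.6"]     # include list: nothing else replicates


def replicate(offered, mode, owners):
    """Return the offered records that pass the owner filter for the given mode."""
    if mode not in ("PersonaGrata", "PersonaNonGrata"):
        raise ValueError("mode must be 'PersonaGrata' or 'PersonaNonGrata'")
    owner_set = {ip_address(owner) for owner in owners}
    accepted = []
    for record in offered:
        listed = ip_address(record["owner"]) in owner_set
        # Include mode keeps listed owners; exclude mode keeps unlisted owners.
        if listed == (mode == "PersonaGrata"):
            accepted.append(record)
    return accepted


def conflicting_names(records):
    """Names that resolve to more than one address in the replicated set."""
    addresses = {}
    for record in records:
        addresses.setdefault(record["name"], set()).add(record["address"])
    return sorted(name for name, found in addresses.items() if len(found) > 1)


def unlisted_owners(offered, persona_grata, persona_non_grata):
    """Owners on neither list: accepted in exclude mode, dropped in include mode."""
    known = {ip_address(o) for o in list(persona_grata) + list(persona_non_grata)}
    return sorted({r["owner"] for r in offered if ip_address(r["owner"]) not in known})


if __name__ == "__main__":
    exclude_mode = replicate(OFFERED_RECORDS, "PersonaNonGrata", PERSONA_NON_GRATA)
    include_mode = replicate(OFFERED_RECORDS, "PersonaGrata", PERSONA_GRATA)
    print("exclude list, conflicting names:", conflicting_names(exclude_mode))
    print("include list, conflicting names:", conflicting_names(include_mode))
    print("owners to review:", unlisted_owners(OFFERED_RECORDS, PERSONA_GRATA, PERSONA_NON_GRATA))
```

In the exclude-list run the record from the unvetted owner is replicated and introduces a second address for FILESRV01; in the include-list run it never enters the database.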

Microsoft Line of Business Applications (LOB)


Microsoft IT deployed Windows Server 2003 with dozens of applications on over 1,100 servers prior to product release. Here are four examples of usage and benefits.

Microsoft.com
These applications are a majority of the Microsoft corporate websites, including www.microsoft.com, msdn.microsoft.com, windowsupdate.microsoft.com, support.microsoft.com, downloads.microsoft.com, and windowsmedia.microsoft.com. Microsoft IT has been running individual systems on Windows Server 2003 in production in this area since October 2001. In July 2002, the entire sites of www.microsoft.com and msdn.microsoft.com were being run on a beta version of Windows Server 2003. The largest benefit realized by moving to Windows Server 2003 has been an increase in availability, up .1% from Windows 2000 to 99.9% availability as measured through Keynote (http://www.keynote.com). A large portion of the availability increase can be directly attributed to the new process model of IIS 6.0, and its ability to proactively recycle applications based off of health. An obvious secondary benefit of the application recycling is a reduction in support costs, normally spent monitoring and restarting web servers. Another key benefit of IIS 6.0 is the much improved security model, which is by default locked down, and must be configured specifically for your application.

MS Sales
MS Sales is the Microsoft internally-developed worldwide revenue reporting system. MS Sales contains Microsoft products and includes sales and inventory data from distributors, resellers, and end customer purchases. This information is reported via a number of methods and once it is received, the data is scrubbed and business rules are applied; ultimately the data is then pushed out to data marts where the users can access the reported information. Now that Microsoft IT has installed Windows Server 2003, performance has improved for both SQL Server and Analysis Services due to improvements in scalability, memory management, and less I/O. This has decreased factory runtimes and allowed the Microsoft IT data to process about 10% faster. In addition to this, the use of Remote Desktop has
allowed Microsoft IT operations teams to remotely troubleshoot OS level issues, which provides better performance and reliability than previous methods.

SAP R/3
SAP R/3 is the Microsoft ERP solution running all of the key internal processes -- Finance, Sales and Distribution, and HR among others. Microsoft IT runs a single central system with users located throughout the world. The business processes and data in the SAP system are extended to employees, vendors, and partners through internal applications built upon the SAP Connectors, BizTalk, and data feeds to downstream warehouse systems. R/3 has allowed Microsoft to run more efficiently through standardized business processes and by providing information at users' fingertips. The initial motivation for upgrading to Windows Server 2003 was participation in the internal early adopter program. Some of the benefits realized from upgrading to Windows Server 2003 include:

Enhanced Security: Group Policy to control settings based on organization unit membership, and server authentication and encryption through IPSec.
Reduced Downtime from configuration changes at the OS level: no Windows Server 2003 servers have been rebooted for an OS configuration change.
Easier Administration through WMI command line tools and Remote Desktop for Administration (formerly known as TS in Admin mode).

Clarify
Clarify is a tool used throughout Product Support Services for creating and tracking service requests (cases) submitted by Microsoft customers and for contract management. Clarify tracks customer history, creation and maintenance of support contracts, identifies support history, and allows for full product issue searches. Customers can submit a question to Microsoft by telephone or through the Esupport system. Customers are entitled to support under Standard Warranty, Pay Per Incident, or by contract (Premier, Priority, Professional, and Alliance). Clarify is used to validate the customer's entitlement and route the request to the appropriate support queue. Support engineers and technical account managers accept cases from queues and then identify, research, and resolve the problem. Benefits gained from Windows 2003 server include:

Increased Security: With the new Internet Explorer Enhanced Security configuration, only trusted sites are accessible from the servers.
Increased Application availability: Prior to Windows 2003 Server, SQL Server and the Microsoft Distributed Transaction Coordinator (MSDTC) had to be run on the same node of the cluster. The business unit was unable to failover MSDTC to other nodes without affecting the distributed transactions in SQL Server. With Windows 2003 server, the business unit is able to run MSDTC independent of SQL Server, which has increased application availability.

In addition to the above benefits, PSS is able to take advantage of the following features of Windows 2003 Server:

File system redirection: One of the business unit requirements is to run the Clarify application in the Terminal Server environment. The business unit was having trouble moving files from the user desktop to the Terminal Server client; however, this is no longer an issue with the File System Redirection feature offered by Windows 2003 Server.

NLBS on Dual NICs: Prior to migrating to Windows 2003 Server, server load balancing had to take place on either the corporate network side NIC or on the Internet side NIC. This caused security concerns as the user base resided on both the corporate network as well as externally, and both wanted to access the same server. The security concerns were addressed by migrating the server to Windows 2003 Server which allows NLB on more than one Network Interface Card.

LESSONS LEARNED
Microsoft IT is sharing these "lessons learned" in the hope that, when applicable, those reading this paper can apply them to their own environments.

If customers already have some experience with deploying one of the Windows 2000 Server family products, then the upgrade to Windows Server 2003 will be a very smooth one.
No redesign of the Active Directory infrastructure was required to deploy Windows Server 2003. Microsoft IT did perform a small amount of domain consolidation, and also reduced the number of required domain controllers, but the main Active Directory infrastructure remained unchanged.
During this particular deployment program, in-place upgrades proved to be the most appropriate upgrade mechanism for Microsoft IT because of the need for quick, simple, and cost-effective upgrades.
The improvements in product security, reliability, and performance allowed Microsoft IT to adopt Windows Server 2003 Enterprise Edition as its preferred operating system for all platforms even prior to product release.
Active Directory housekeeping is important, as the potential for more objects is likely to result in longer operations.
Customers will find value in generating and using tailored operational procedures for deploying Windows Server 2003.
For highly dispersed and global environments, implementing hardware, software, and procedures to remotely administer and upgrade servers should prove to be quite cost effective, while reducing downtime and the risks associated with upgrades.
Asset management proved to be a key to successful deployment planning. Microsoft IT started with a good hardware inventory to ensure the most efficient upgrade possible for particular infrastructure hardware. In addition, compliance with server hardware standards was critical to the success of the Windows Server 2003 deployment.
It is important to have a good change control process to reduce issues associated with lack of knowledge of concurrent work occurring in other groups within the organization.

BEST PRACTICES
With any major operating system upgrade the following best practices apply:

The operating system should always be tested in a lab environment first.
The operating system should also be tested and piloted in a small pre-production environment if possible.
All business critical applications should be tested against the new operating system in a pilot testing environment before they are upgraded in the production environment.
Having good documentation and well-defined processes will facilitate the success of any deployment project.

With Windows Server 2003 specifically the following best practices apply:

If Active Directory was already in place from an earlier Windows 2000 Server deployment, deploying Windows Server 2003 as an upgrade was not a difficult project to manage. However, if Active Directory is not in place, the migration effort will be more significant. Microsoft IT recommends that enterprises in this circumstance refer to existing deployment documentation written for Windows 2000 and Active Directory to obtain planning assistance for this project.
Windows Server 2003 can be successfully deployed independently from the Windows XP client deployment. The only exceptions to this are the features in Windows XP that depend upon specific supporting features of Windows Server 2003, such as Real Time Communications (RTC) and wireless networking.

CONCLUSION
By evaluating the performance, manageability, and reliability improvements and available features in Windows Server 2003, Microsoft IT accomplished its deployment goals for Windows Server 2003 at Microsoft: use Microsoft IT as a pre-release testing ground, stress test product features, run Windows Server 2003 forest mode prior to release to market, improve the environment through implementation of new features, have close to 20,000 mailboxes running on Exchange 2003, increase Microsoft IT network security, provide application compatibility, develop a repeatable deployment process, and reduce support overhead and infrastructure costs. Improvements such as WMI and administrative command line tools, Active Directory replication monitoring, domain controller rename, domain rename, linked value replication, cross-forest trust, IIS 6.0, and Smart Card administration capabilities provide easy-to-manage standards and scalability to meet the demands of a large, growing organization.

As part of the planning process, Microsoft IT closely examined deployment mechanisms. Microsoft IT deployed Windows Server 2003 in the primary data centers by using Terminal Services Remote Desktop connections running scripted installations. For smaller sites with no Microsoft IT staff, third-party remote control peripheral boards allowed the operations staff to perform tasks like firmware upgrades, recovery from failure where the OS was inaccessible, and to monitor the machine while the upgrade was in progress.
Windows Server 2003 forest functionality. Deploying Windows Server 2003 to all domain controllers throughout the forests provided an opportunity for testing deployment options for compatibility and interoperability.
Close to 20,000 mailboxes running on Exchange 2003. Upgrading the Exchange infrastructure from Exchange 2000 to Exchange 2003, in conjunction with the Windows Server 2003 deployment, allowed Microsoft IT's users to benefit from the new features of both products.
Increased Security. Utilizing Active Directory in Windows Server 2003 has allowed Microsoft IT to benefit from the additional security features such as Trust Management that make multiple forest management easier.
Application Compatibility. Testing and proving the compatibility and advantages for many of the Microsoft line of business applications when running on Windows Server 2003 has provided Microsoft IT with data that can provide Microsoft customers with confidence when planning upgrades.
Reduced Infrastructure Costs. As outlined in this paper, many of the new features and capabilities in the OS, as well as improvements to already existing features, have allowed Microsoft IT to provide the services that its demanding customers require without upgrading hardware, and to better manage its staffing requirements.

FOR FURTHER INFORMATION


The latest information about Windows Server 2003 can be found at: http://www.microsoft.com/windowsserver2003/default.mspx. To view Windows Server 2003 Case Studies, please visit: http://www.microsoft.com/windowsserver2003/evaluation/casestudies/default.mspx. For an Overview of Windows Server 2003, please visit: http://www.microsoft.com/windowsserver2003/evaluation/default.mspx. To review the Features of Windows Server 2003, please visit: http://www.microsoft.com/windowsserver2003/evaluation/features/default.mspx. For the top 10 Reasons for Upgrading to Windows Server 2003 from Windows 2000, please visit: http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10w2k.mspx. For technical Resources for Windows Server 2003, please visit: http://www.microsoft.com/windowsserver2003/techinfo/default.mspx. For Developing Applications for Windows Server 2003, please visit: http://www.microsoft.com/windowsserver2003/developers/default.mspx. The Windows Resource Kits provide IT professionals with the technical information and tools they need to successfully deploy, manage, and support Windows operating systems. To browse the Web version see the Windows Resource Kits Web site at http://www.microsoft.com/windows/reskits/. The Resource Kit documentation for Windows XP and the Windows Server 2003 family includes the following:

Microsoft Windows XP Professional Resource Kit Microsoft Windows Server 2003 Deployment Kit Microsoft Windows Server 2003 Resource Kit

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com/
http://www.microsoft.com/technet/itshowcase

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft grants you the right to reproduce this White Paper, in whole or in part, specifically and solely for the purpose of personal education. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.


Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.
